Documentation/usb/authorization.rst

Source file repositories/reference/linux-study-clean/Documentation/usb/authorization.rst

File Facts

System
Linux kernel
Corpus path
Documentation/usb/authorization.rst
Extension
.rst
Size
3842 bytes
Lines
130
Domain
Support Tooling And Documentation
Bucket
Documentation
Inferred role
Support Tooling And Documentation: documentation
Status
atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

==============================================================
Authorizing (or not) your USB devices to connect to the system
==============================================================

Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control if a USB device can be used (or
not) in a system. This feature will allow you to implement a lock-down
of USB devices, fully controlled by user space.

As of now, when a USB device is connected it is configured and
its interfaces are immediately made available to the users.  With this
modification, only if root authorizes the device to be configured will
then it be possible to use it.

Usage
=====

Authorize a device to connect::

	$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

De-authorize a device::

	$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to hostX to be deauthorized by default (ie:
lock down)::

	$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down::

	$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

By default, all USB devices are authorized.  Writing "2" to the
authorized_default attribute causes the kernel to authorize by default
only devices connected to internal USB ports.


Example system lockdown (lame)
------------------------------

Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
USB port)::

  boot up
  rc.local ->

   for host in /sys/bus/usb/devices/usb*
   do
      echo 0 > $host/authorized_default
   done

Hookup an script to udev, for new USB devices::

 if device_is_my_type $DEV
 then
   echo 1 > $device_path/authorized
 done


Now, device_is_my_type() is where the juice for a lockdown is. Just
checking if the class, type and protocol match something is the worse
security verification you can make (or the best, for someone willing
to break it). If you need something secure, use crypto and Certificate
Authentication or stuff like that. Something simple for an storage key
could be::

Annotation

Implementation Notes